information technology governance (itg) - PACIS

Download PDF
18 downloads 2274 Views 171KB Size Report
Comment
The term 'governance' in IT has been used to broadly describe the policies, structures, ... and assist organizations in the creation of an effective IT security plan.
Pacific Asia Conference on Information Systems (PACIS)

PACIS 2009 Proceedings Association for Information Systems

Year 2009

INFORMATION TECHNOLOGY GOVERNANCE (ITG) PRACTICES AND ACCOUNTABILITY OF INFORMATION TECHNOLOGY (IT) PROJECTS – A CASE STUDY IN A MALAYSIAN GOVERNMENT-LINKED COMPANY (GLC) Noor Ismawati Jaafar∗

∗ Macquarie

University, isma [email protected] University, [email protected] This paper is posted at AIS Electronic Library (AISeL). † Macquarie

http://aisel.aisnet.org/pacis2009/31

Ernest Jordan†

INFORMATION TECHNOLOGY GOVERNANCE (ITG) PRACTICES AND ACCOUNTABILITY OF INFORMATION TECHNOLOGY (IT) PROJECTS – A CASE STUDY IN A MALAYSIAN GOVERNMENT-LINKED COMPANY (GLC) Noor Ismawati Jaafar Macquarie Graduate School of Management Macquarie University, NSW 2019, Australia [email protected]/[email protected] Professor Ernest Jordan Director, Higher Degrees Research Marketing & Development Macquarie International Macquarie University, NSW 2109, Australia [email protected]

Abstract This paper analyses and presents a case study on ITG practices in a Government-linked company (GLC) by looking at the ITG process, accountability and the desirable behaviours of IT at the project level of the organization. The study reveals a number of important findings in the context of ITG implementation at the project level. As far as ITG documentation is concerned, there are numerous standards currently available of which many are continuously undergoing further development by IT professionals. Nonetheless, there is still no one correct way of governing IT in an organization, more specifically, in IT project management. In addition, there is not much known concerning the ITG outcome of ITG practices in Malaysian organizations. Thus, this paper shares the level of readiness and awareness of ITG practices, for this particular case, when it comes to implementing IT projects. Keywords: IT governance, IT governance practices, accountability, IT outcome

1

INTRODUCTION

The adoption of IT governance (ITG) practices in organizations has been strongly driven by the implementation of corporate governance principles. Among others, it promotes transparency and accountability in IT decision making. Over the years, ITG has emerged as an important issue for organizations throughout the world with huge IT spending and heavy IT exploitation to achieve commercial objectives. While there are many standards available, of which many continue to be developed by IT professionals, there is still no one correct way of governing IT in an organization. In addition, there is little known concerning the outcome of ITG practices in Malaysian organizations. This paper analyses how IT governance practices are implemented in a Government-linked company (GLC) whose main business is providing services. This paper focuses on structure, processes and the outcome of ITG in IT projects. But, what is interesting about this paper is that it looks into the ITG practices at a point of time that is almost the same as visible benefits are expected from the organization’s overall transformation to become a regional champion. The next few sections of this paper contain a detailed literature review regarding ITG, IT decision making and accountability of IT projects, and the motivational factors of conducting this research. This is followed by a discussion of the research questions and methodology used for the case study. The description of the case is presented next followed by the findings. Finally the conclusions and directions for future work are discussed to ensure the research viability, continuity and theory development for the enhancement of knowledge.

2

IT GOVERNANCE REVISITED

The term ‘governance’ in IT has been used to broadly describe the policies, structures, and management processes involved in managing IT functions (Brown & Sambamurthy, 1999; Weil & Broadbent, 2000; Sohal & Fitzpatrick, 2002). The nature of ITG, which is embedded in the culture, work practices and internal processes, has resulted in the social behaviour perspective of ITG in organizations. As a result, a more precise ITG definition that is relevant to the case is adopted from Weil and Ross (2004) who have defined ITG as “specifying the decision rights and accountability framework to encourage desirable behavior in using IT” (Weil & Ross, 2004, p.2). Historically, the way IT has been governed is strongly associated with the structure or configuration of the IT function. It reflects the locus of responsibility for making IT management decisions. There are three (3) possible types of locus – centralized, decentralized and hybrid (Camillus & Lederer, 1985; Tavakolian, 1989; Main & Short, 1989; Fiedler et al., 1996). Organizations with a centralized IT have the locus of responsibility of making IT management decisions in a central unit or corporate area. Those with a decentralized IT have an individual business unit or department that makes IT management decisions. Finally, if the responsibility is shared between the central and business units, then organizations have a hybrid IT locus for management decision making.

3

THEORETICAL BACKGROUND

The research was framed around the following facets: 3.1 3.1.1

Components of ITG ITG Structure

The first component of ITG is the ITG structure. In most cases, the possibility of ITG effectiveness is determined by the way the IT function is organized and where the IT decision-making authority is located in the organization. Regarding the former, it should, however, be noted that with the

widespread proliferation and infusion of IT in organizations, involving, for example, technical platforms, shared IT services centres, and local business-embedded applications, the notion of a single homogenous IT function is almost obsolete (Peterson, 2003). Weill and Ross (2004) have recommended that for ITG implementation to be effective, organizations need to establish performance objectives and continuously design governance to achieve these objectives.

3.1.2

ITG Processes

The second component is ITG processes. In the process of establishing an ITG framework, an organization may follow some internationally recognized reference framework such as COBIT, ISO 17799, or ITIL (Von Solms, 2005; Symons, 2005). •

COBIT

Control Objectives for Information and related Technologies or COBIT was first developed in 1996 by the Information Systems Audit and Control Association (ISACA) but it is issued and maintained by the IT Governance Institute (ITGI) as a framework for providing control mechanisms. COBIT has 34 processes and high-level control objectives with four main domains (ITGI, 2000). It represents a comprehensive framework for implementing IT governance with a very strong auditing and control perspective. COBIT, in many cases, is preferred by IT auditors and IT Risk Managers (Von Solms, 2005). •

ITIL

The second framework that can be adopted for ITG is the IT Infrastructure Library (ITIL), which was initially developed in the United Kingdom. It was promoted by the Office of Government Commerce (OGC) and is gaining attraction in the global IT community as a framework for IT governance. The library currently consists of eight sections that focus on identifying best practices for managing IT service levels and it is particularly process-oriented. While COBIT takes the perspective of audit and control, ITIL takes the perspective of service management (Niessink & Van Vliet, 2000; Behr et al., 2004). The two frameworks are more complementary than competitive and components of both can be taken to build an ITG framework (Symons, 2005). •

ISO 17799

The International Organization for Standardization (ISO) has developed the third major governance framework, ISO 17799. It was first released by the ISO in December 2000. However, it is based on British Standard 7799, which was finalized in 1999. The intent of the standard is to focus on security and assist organizations in the creation of an effective IT security plan. Since risk management is a component of ITG, there is relevance to ISO 17799, and parts of it can be adopted in building an overall ITG framework (ISO, 2000). •

Other Control Frameworks

While the three (3) frameworks mentioned above are the most widely cited ITG control frameworks, various researchers have conducted a review of other tools including the Six Sigma, CMM/CMMI, ASL, IT Service CMM, SAS70, ITGAP (IT Governance Assessment Process) (Peterson, 2004) and ITG Assessment (Larsen et al., 2006).

3.1.3

ITG Outcome

The third component is the ITG outcome. In general, there are a number of decision making tools that would be applicable to measuring ITG effectiveness such as the Balanced Scorecard model IT decisions. The measure is known as the IT Balanced Scorecard (Van Grembergen & Van Bruggen, 1997), Strategic Alignment Model (Venkatraman et al., 1993), Information Economics (Parker, et al.,

1988) and Critical Success Factors (CSF) (Rockat & Short, 1989). One author has recently proposed an ITG Assessment Process (ITGAP) model with which business and IT executives can assess the effectiveness of their organization’s ITG. An ITG framework could be useful for meeting the challenge of providing accurate, visible and timely information while securing information assets (Peterson, 2004). It was clearly differentiated between financial reporting and ITG (Damianides, 2005). However, the ITG outcome for the IT projects would depend primarily on the success of the projects. There are a few issues of ITG at the IT project level as discussed by Bowen et al., (2007). According to them the “IT investment approval process is to ensure that IT investments generate significant returns to the organization relative to alternative investment opportunities” (p, 198). A combination of financial, non-financial and risk analysis could be used to examine the IT investment proposals. They further discussed the evaluation of IT projects. There are two types of evaluation; interim evaluation of IT projects, where costs and benefits can be revised in light of the latest information about the project, and post-implementation evaluation of IT investment that will assist organizations to improve future IT investment by comparing actual figures against estimated figures. 3.2

Implementing IT projects Requires Governance

The implementation of many IT projects in organizations worldwide face the risk of being cancelled or cost overruns. In 1995, a survey of 365 IT executive managers, representing 8,380 applications in the USA found that 31 percent of them would be cancelled prior to completion. In addition, more than half of the projects will cost an average of 189 percent of their original budgets (Standish Group, 1995). In 1995, interviews with 45 researchers and consultants in the UK showed that seven out of ten IT projects fail in some respect (OASIG, 1995). IT projects or initiatives fail for several reasons. A study done in Canada of 1,450 public and private sector organizations revealed the three most common reasons for IT project failures (Whittaker, 1999). They are:



Poor project planning – which is attributed to inadequate risk management and a weak project plan.



A weak business case – where systems need should be justified directly to the organization’s business needs.



Lack of top management involvement and support – where securing buy-in from the top is an essential step to avoid failure before the IT project even begins.

In the study done by OASIG, factors that lead to failure of IT projects include poor management or project management, poor articulation of user requirements, inadequate attention to business needs and goals, and failure to involve the user properly (OASIG, 1995). Nonetheless, effective communication among team members, which should consist of representatives from various backgrounds with different expertise, would result in IT investment project implementation success. More particularly, effective ITG involves a myriad of decisions taken by several different groups of decision makers across organizational boundaries. Team members would be able to interact and understand each others’ roles and responsibilities in achieving improved project management (Venkatraman, 1993; Murray, 2001).

However, good project governance is not similar to good project management that ensures favourable outcomes of IT projects even though they are closely related to each other (Sharma, et al., 2009). In their recent qualitative study of ITG and project management in ten British organizations, they found that good ITG at the projects level is facilitated by having an experienced and well-trained project management team and established methodology for managing IT projects. They further suggested that an organization may have good project management but not good project governance. Their study also identified that project governance and ITG may be weak even though project management is strong. 3.3

Accountability for IT Projects

Accountability and control is one of the six facets of ITG that is commonly associated with corporate governance or strategic information system planning (SISP) in organizations (Willson & Pollard, 2009). In ITG implementation, the goal is to create an accountability framework that identifies the people who are responsible for ensuring that their organization gets value from IT investment decisions (Broadbent, 2003; Ross and Weill, 2002). ITG, which is defined as “specifying decision rights and accountability framework to encourage desirable framework when using IT” (Weill & Ross, 2004), when extended to the IT project level, includes how project managers (PMs) are “held responsible for the outcome of decisions in their IT project implementation” (Grover et al., 2007). As a general rule, whoever is involved, shares the success or failure of IT projects in any organization. This includes business units that have requested or will use the outcome; IT personnel, particularly the IT PM champion; senior management and any vendor or consultants who have participated in the IT project. It is, however, the PM who will be ultimately responsible for the outcome of his or her project. Raising concern once a project is in serious difficulty represents a failure on the part of the PM to appropriately manage the project. Among the important keys to ensure IT project success are: •

Willingness to be candid about the project status, where the PM is expected to meet difficulties head-on and correct them as they arise.



Full-time position of PM will minimize the possibility of the project being neglected and avoid it drifting into serious difficulty.



Full utilization of project management methodology ensures that the project plan is properly carried out and should be employed at the onset of the project.



Lead by example is when the PM shows his or her full commitment to the success and development of the project and increases the level of participation of team members (Grover et al, 2007).

4

MOTIVATION FOR THIS STUDY

The researcher was motivated to undertake this research because of the limited number of studies on ITG implementation in Malaysia and the consequent dearth of available literature and data. More specifically, the researcher has chosen to research ITG practices in an organization categorized as a Government-linked Company (GLCs). GLCs refer to business entities with a primary commercial objective and in which the Malaysian Government (government) has a direct controlling stake (Ministry of Finance, 2007, p 92). The controlling stake enables the government to involve itself in the appointment of the Board of Directors (BOD), nomination of senior management staff, establishing policy direction for these companies and making major decisions (e.g. contract awards, strategy, restructuring and financing, acquisitions and divestments, etc.) (Putrajaya Committee on GLCs (PCG), 2006; Ministry of Finance, 2007). The setting up of GLCs in Malaysia can be referred to as the formation of state-owned corporations, enterprises or entities in which the government has control over important decisions through the process of corporatisation. This represents the

application of specific commercially-oriented management techniques to improve the efficacy of government business enterprises (Fisher, 1998). This technique has been widely used domestically and internationally for the services industry. As at 1 December 2007, there were 39 GLCs in Malaysia from various industries such as auto/industrial products, financial institutions, healthcare, communications and media, power, property, technology and transportation (PCG, 2007). The significance of GLCs to overall economic development is indicated in their market capitalization relative to the Kuala Lumpur Composite Index (KLCI), which is higher at 55%, even though GLCs represent only 23 % of companies forming the KLCI. In terms of capital investment, the expenditure of listed GLCs on fixed capital investment is RM13.8billion, accounting for 18% of the national gross fixed capital formation. This high figure is attributed to their high capital intensity ratio, being the primary providers of utility and infrastructure services. The significance of GLCs is further shown in the number of personnel employed, which was 325,722 or 3% of the national workforce in 2006 (Ministry of Finance, 2007). As a result of the Asian financial crisis in 1997-1998, the performance of GLCs has been unsatisfactory and, for the last 15 years, their performance in terms of financial and operations has been lagging (Ministry of Finance, 2007). This prompted the government to initiate a transformation programme for GLCs to become high performance companies and meet the government’s expectations as the most important stakeholder. In addition, a Transformation Manual was launched in July the same year. The manual contains measures to enhance the effectiveness and capability of the BOD, review and revamp procurement policy, improve performance management, enhance regulatory environment, and enhance the capabilities of GLC leaders and managers (PCG, 2005). One of the areas that was emphasised is the practice of Corporate Governance (CG) where ITG constitutes an important aspect. It has been heavily highlighted with the objective of promoting transparency, effectiveness and accountability for how the organizations are managed in order to attract investors, fulfil all stakeholders’ interests and increase public confidence (Badawi, 2005). Although there have been studies on ITG practices conducted in many countries (Weill & Broadbent, 2000; Weill & Ross, 2004), most of the organizations investigated are from for profit and non-profit organizations with multiple business units. In addition, much research on ITG in organizations has focused on the top and senior management, especially at the C-level personnel (Weill & Broadbent, 2000; Weil & Ross, 2005; Symons, 2005). ITG would best be studied by including other management levels in the organization, including the strategic, management and operational levels (De Haes & Van Grembergen, 2006). They argue that some ITG practices work on one specific level while other practices can be applied at many levels. For example, the IT strategy committee can only be applied at the strategic level while COBIT can be applied at a strategic level as well as at the management and operational level. It is hoped that ITG patterns can be explored from the different management levels to examine the effectiveness of its design and implementation. As part of an ongoing study of ITG implementation in a Malaysian GLC, this paper, although briefly covering corporate ITG, only discusses ITG practices and accountability at the IT project level. The study attempts to primarily understand ITG implementation in a Malaysian GLC by specifying decision rights and accountability for desirable use of IT at two levels of the organization. However, this paper will only address the ITG practices at the project level of the GLC. The grand research question for this study is: •

How ITG practices are implemented in the context of a GLC in Malaysia?

The study further attempts to address the following sub-questions: •

What IT decisions are made at the IT project level and how?



How does ITG enhance the accountability of IT decision makers in achieving a desirable outcome at the project level?

The above phenomena exist internally and are not widely known to the ‘man on the street’. The phenomena are embedded in the organization’s culture and work practices among the actors and require systematic investigation. Due to the lack of empirical research on the embedded nature of ITG implementation in organizations, a case study is deemed to be the most appropriate research strategy. Case studies are often associated with, but are not restricted to exploratory or descriptive research (Ghauri, 1983; Bonoma, 1985; Yin, 1994). As pointed out by Bonoma (1985) and Yin (1994), case studies are useful when the researcher wishes to investigate a phenomenon that is difficult to study, except in its natural setting, and when the concepts are not easily quantified. In a case study, the researcher gathers primary evidence directly through in-depth contact with organizational actors focusing on actual tasks and processes in their natural settings, employing an evolving set of multiple methods as field observations proceed and producing publications that incorporate analysis and rich descriptions of organizational contexts and practices (Ferreira and Merchant, 1992). Phenomena are often studied in their actual on-site context, which results in events, activities, processes, people and relationships being subject to observation and analysis (Alder and Alder, 1994; Newman, 2003; Silverman, 2000). Data for the study was collected using a combination of semi-structured interviews, documentation analysis and observation techniques to provide an in-depth and rich understanding of ITG practices in the organization. The interviews were conducted face to face with top management, corporate ITG personnel and IT project managers over a period of one month as part of an on-going research. Respondents for the interviews were selected using purposeful sampling. A list of names was obtained from the organizational charts with assistance from the Corporate ITG unit. As far as respondents to the interviews for this paper are concerned, their names were obtained from the General Manager (GM) of the IT Services and Control (ITSC) Division, who is responsible for the group’s IT resources management including assets and people. The GM of ITSC recommended names of 12 IT project managers. An invitation e-mail was sent to each individual project manager. However, due to their tight schedule at the time the interviews were conducted, only four project managers agreed to participate in the research. In order to ensure a congruence of the data collected for the purpose of writing up the case, another technique was used. This involved the analysis of documentation including going through minutes of meetings of the IT projects, project proposals, project plans, project progress reports and also the structure of IT project team members. While the two techniques mentioned before provide an interesting insight into the ITG practices at the IT project level, observations were also done to understand the working culture and environment of the organization. With the respondents’ consent, the researcher spent approximately one to two hours at each respondent’s office to observe how the IT project managers interact with the team members and conduct project progress meetings. Multiple visits were subsequently carried out to continue the observations each time upon consent of the respondents. This was imperative to uncover the embedded ITG practices that involve interaction and communication with multiple levels of personnel.

5

DESCRIPTION OF THE ORGANIZATION

The organization is a GLC organization, which was originally a government department in Malaysia. It was corporatized in 1987 and became the nation’s first privatized entity, providing infrastructure services to both domestic and business consumers. TeaMCo was listed on Bursa Malaysia in 1990. It

has a large workforce of approximately 36,000 employees in Peninsula and East Malaysia. For anonymity, the organization will be referred to as TeaMCo throughout the paper and the names of all the individuals who have participated in the study will not be disclosed. TeaMCo’s vision is to be Malaysia’s leading new generation infrastructure provider, embracing customer needs through innovation and execution excellence. TeaMCo has recently completed a de-merger exercise as a strategic move to deliver values to all the stakeholders in the area of renewed energy. The exercise was undertaken to support the organization’s evolution as one of Malaysia’s foremost companies, which will achieve prominence at home and leadership in the region. The Group IT (GIT) in TeaMCo is headed by a Vice President (VP) of IT who is responsible for the overall GIT activities. There are five divisions in the GIT, namely, the IT Services and Control, IT Architecture Integration & Consultancy, IT Strategic Planning & Governance, IT Application Services and IT Infrastructure Services. The structure and activities of each one of them are shown in Figure 2.

Vice President IT Line of Business Corporate Centres TeaMCo Subsidiaries External customers

IT Services and Control

IT Architecture Integration & Consultancy

IT Application Services

Align

IT Infrastructure Services

IT Strategic Planning & Governance

XXXX Systems

Align

IT Portfolio Management

Figure 2: Group IT Model of Collaborative Key Functions and Organizational Relationships to Support De-merged Business Needs

5.1

ITG Practices in TeaMCo

TeaMCo has, on average, between 3.75-4 % of its operating revenue spent on IT investment annually. This is equivalent to between RM660-RM704 million a year. Through Group Information Technology (GIT), efforts to implement ITG practices have commenced in TeaMCo with direction from the Top Management, namely, the Chief Executive Officer (CEO) who took office in 2004. The then newly appointed CEO realized that there were sporadic decision loci of IT related matters. At that time he had difficulties in approving IT investment, the amount of which was simply enormous. The GIT vision is enabling business growth and transformation with reliable, effective and secure IT services focusing on the following five strategic thrusts: •

Contain Operating Costs and Improve Cost Effectiveness



Establish End to End XXXX (de-identified) Systems to Support Next Generation Services



Enrich Customer Experience via Consolidated Platform



Reposition Group IT as a Revenue Contributor



Reinforce and Strengthen IT Execution Capacity

The formalization of the Corporate Information Technology Governance (CITG) unit has assisted the organization to control their IT investment, procurement and operations. They have developed an ITG Manual, which is the guiding principle for the organization and focuses on the IT principle, IT infrastructure, IT investment and prioritization, IT architecture and business applications need (Weill & Ross, 2004). 5.2

ITG Practices for IT Projects

Excluding the maintenance and support projects, there are approximately 125 applications currently on-going in TeaMCo. These projects range from less than RM500,000 to more than RM10billion worth of IT investment. The setting up of the GIT was to control the usage of IT in TeaMCo. Apart from other aspects of IT, importance was also given to project management. This involves huge IT investment and the top management felt that an alignment was urgently required to ensure that TeaMCo could benefit from using IT. One of the general managers (GM) of IT that was interviewed described her experience of taking up the responsibility of looking after the governance of IT project management as follows: “That was it. So when I was brought in 2007 boss said you had to take it up. It’s very important especially on project management. Out of this one, there are a lot of projects. We have to align all that. So look into governance.” (GM1). There was a need to extend ITG to the IT project level and the responsibility of documenting it was vested in the top management. 5.3

IT Decisions at Project Level

Depending on the types of applications to be developed, the project team members normally consist of a few stakeholders such as senior management, line of business users, end-user IT, IT personnel, representatives from procurement and representatives from finance. In TeaMCo, PMs are not involved in making IT decisions that cover the IT principle, IT infrastructure, IT investment and prioritization, IT architecture and business applications need. These are normally done prior to the implementation of IT projects by a committee called the IT Project Review Committee (ITPRC), which is responsible for approving IT projects and initiatives in TeaMCo. This is supported by a statement from the PM of one of the largest IT projects in TeaMCo: “IT investment decision is made by ITPRC. It was done prior to project implementation because before you go into architecture and support, it will up before you get an approval from CRM steering committee. So that one I was not involved. It was conducted by CRM team. For the IT investment, they will present to ITPRC for the approval on the investment as well as the CRM steering committee.” (IT PM2) The involvement of PMs would include making presentations of architecture, infrastructure and business application needs to the IT Technical Review Committee (ITTRC). This confirms that the documents comply with the Group IT Enterprise Architecture (GITEA), which is a part of the ITG manual. “So we have to present our architecture and design to this ITTRC to get endorsement. And the endorsement will be based on our GITEA. GITEA is our Group IT Enterprise Architecture, which is part of ITG principles.” (IT PM2) PMs are, however, primarily responsible for managing the IT projects and overseeing their progress. This is done through frequent formal communication of the available IT project committees: “As PM, we will have a weekly review meeting in which we will review the activities, action plans, resolutions on whatever has been during the meeting. And we also have our monthly review meeting with our Project Director in which we will update him on the status as well as seeking certain approval or decisions for those decisions beyond our control.” (IT PM2)

5.4

QMS Processes

ITG at the IT projects level, however, is not new in TeaMCo. In TeaMCo, the governance of IT project management is considered a matured process as TeaMCo adopted the ISO9001 standards for managing IT projects 12 years ago. Its implementation has been very successful whereby a Quality Management System (QMS) document is certified and widely used for implementing IT projects in TeaMCo. “I think in process wise of governing IT projects, the QMS document has been very effective. It’s interpreting day-to-day operation, under the umbrella of ITG. I would normally go to the grounds to see its compliance at least once a year..…..basically I would say it is already matured.” (IT PM1) The QMS is a very comprehensive document that contains the details of IT projects implementation in TeaMCo. Among others, it contains guidelines for managing projects including planning, IT resource allocation, project progress monitoring and reporting to the management. “Basically when we manage IT project, the procedures that we follow on is solely based on the QMS. It’s a guideline. There are many things in the QMS in terms of managing new IT project and maintenance and support. It starts from the beginning where you propose …..up to progress report to management. All that is in the QMS.” (IT PM3) “In managing IT projects, we have to refer to the project plan or quality plan for IT resources such as the responsible team leaders from technical and development side, users, their detailed roles and responsibilities.” (IT PM1) Apart from implementing QMS, TeaMCo is also considering the adoption of ITIL for improving the service delivery of IT to the users and stakeholders. This is a continuous improvement to the QMS. The following statement from one of the PMs gives an indication of TeaMCo’s direction: “Internally we can say that we have everything in place. But from the customer’s point of view, we are still not at par with their expectation. That’s why we want to go for ITIL. Basically if we want to improve our products and services, we need to improve on the service delivery.” (IT PM1) 5.5

Accountability of IT Project Managers

The project managers interviewed described ITG as policies and procedures. The following excerpts from the interviews exhibit a pattern of their understanding and awareness of ITG: “For me governance is a policy that we use in terms of developing a certain project. We have to govern by the policy before the implementation. Basically in terms of security, development of the project itself, the thinking ahead of how the implementation would be and things like that. So this policy will be governing the whole project implementation.” (IT PM1) “ITG is a set of policies of do’s and don’ts of activities for me to implement a project.” (IT PM2) “ITG is a set of rules set up by the management for us, the IT project managers to follow on.” (IT PM3) The IT PMs have further described that their responsibilities for managing IT projects become desirable behaviour in using IT, which is translated into key performance indicators (KPI) for individual PMs. In return, most PMs expect to be rewarded for the desirable behaviour in terms of career progression and promotion: “This one has to do with KPI because initially before I start a project I should agree with my Project Director or my immediate superior on what are the expected deliverables, be it on time as well as the budge. Based on that KPI, if I can achieve the KPI, I can be rewarded in terms of monetary, namely, bonus and secondly for career advancement such as promotion.” (IT PM2)

“For a start, when appointed as a PM, we receive an appointment letter, which states what my roles and responsibilities are in terms of basic tasks that you need to do. For example, PM, team leader and team member’s job descriptions are all in there. Motivational factors include….towards the end everybody will be evaluated. If you don’t achieve what you need to do, it will affect your performance.” (IT PM3) 5.6

ITG Performance at Projects Level

The PMs have been asked to rate the importance of the following items of their IT project on a scale of 1(not important) to 5 (very important). The mean scores from the IT PMs are tabulated in Table 1 as follows:

Outcome

Mean Score

Timeliness delivery

5

Within budget

4.75

Meeting user requirement

5

Satisfaction of stakeholders

4.75

Fulfil functionalities

4.5

Table 1: Mean Score of ITG Outcome at IT Project Level When asked about other outcomes that they feel are important, the following aspects were highlighted: “I would think that compliance of hardware and architecture is very important for us project managers. This is because we have to ensure that the results of our IT projects will be able to adapt to our existing architecture environment which our ITG is based on.” (IT PM2) “Other things would include compliance to strategic direction and IT policy. We must also ensure that our projects will meet industry standards which in our case the eTOM. It is a standard that all companies in our industry adopt worldwide. That’s why we have to ensure that our business processes comply with all their requirements.” (IT PM4)

6

CONCLUSION AND FUTURE DIRECTION

ITG practices in TeaMCo IT, at the project level, have been quite extensively embedded in their daily operations and business processes, with the utilization of the QMS document, which is certified by ISO 90001. PMs are involved in the recommendation of the technical aspects of the project such as architecture and infrastructure, whereby they have to ensure that it complies with the GITEA requirements. On top of that, PMs in TeaMCo have been following the Project Management Methodology (PMM) in managing their IT projects, which construct a part of the QMS. From the findings, governance of IT projects can be considered as a matured process with the enforcement of the QMS. Nonetheless, the issue of enforcement of ITG to individual IT projects entails continuous improvement to ensure that IT services are delivered according to the satisfaction of the users and stakeholders. As for the IT decisions, PMs are only involved in making decisions that relate directly to their project implementation such as resource allocations and monitoring of the project’s progress. PMs are also responsible for updating the status of IT projects to the Project Director. Other IT decisions such as IT investment, architecture and infrastructure, and application needs are made by an IT committee, namely, the ITTRC for the technical specification and evaluation, and the ITPRC for the approval of IT projects or initiatives.

With the QMS as guidelines and the formal appointment of a PM through an agreement, the PMs are responsible for ensuring timely delivery of their IT projects. At the end of the day, the performance of an individual PM is assessed and will be reflected in the form of reward and recognition. This has encouraged the desirable usage of IT in TeaMCo. So far, this paper only discussed the governance of IT projects as part of a bigger scope of ITG practices. As for the implications for future research, research could be conducted in another GLC in a different industry. It would be of interest to make a comparison on the modus operandi of the IT services delivery per se by looking at the available standards, procedures and documentation for governing IT projects.

References Alder, P. & Alder P. (1994). Observational techniques in Denzin, N. & Lincoln, Y. Handbook of qualitative research. Thousand Oaks. CA: Sage, pp 377-392. Badawi, A. (2005). Opening Speech. Paper Presented at the Launching of GLCs Transformation Manual. July 29, Kuala Lumpur. Behr, K. and Kim, G. & Spafford, G. (2004). The visible ops handbook: Starting ITIL in 4 practical steps. Information Technology Process Institute. Bonoma, T. 1985, “Case research in marketing: opportunities, problems, and a process”. Journal of Marketing Research, vol. 12, pp. 199-208. Bowen, P. L., Cheung, MY. D. & Rohde, F. H. (2007). Enhancing IT governance practices: A model and case study of an organization’s efforts. International Journal of Accounting Information Systems, 8(2007), 191-221. Broadbent, M (2003). The Right Combination, in CIO, April, Retrieved March 3, 2008 from http://www.cio.com.au on 3 March 2008. Brown, C.V. & Sambamurthy, V. (1999). Repositioning the IT Organization to Enable Business Transformation, Pinnaflex Educational Resources, Cincinnati, OH. Camillus, J. & Lederer, A.L. (1985). Corporate strategy and the design of computerized information systems. Sloan Management Review, 42(4), pp35-42. De Haes, S. & Van Grembergen, W. (2006). Information Technology Governance Best Practices in Belgian Organisations. Paper presented at the 39th Hawaii International Conference on System Sciences - 2006. Ferreira, L. D. & Merchant, K. A. (1992). Field research in management accounting and control: a review and evaluation. Auditing, Accounting and Accountability, 5, pp 3-34. Fielder, K., Grover, V., & Teng, J. (1996). An empirically derived taxonomy of information technology structure and its relationship to organizational structure. Journal of Management Information Systems, 13(1), pp 9-34. Ghauri, P. N. (1983). Negotiating international package deals: Swedish firms in developing countries. Stockholm:Almquist & Wiksell Grover, V., Henry, R. M. & Thatcher, J. B. (2007). Fix IT-business relationships through better decision rights. Communication of the ACM, 50 (12), pp 80-86. Information Technology Governance Institute (ITGI) (2000). CobiT: Governance, Control and Audit

for Information and Related Technology. Available online: www.itgi.org. Information Technology Governance Institute (ITGI) (2001). Board briefing on IT Governance. Available online: www.itgi.org. Information Technology Governance Institute (ITGI) (2003). Board briefing on IT governance (2nd ed.). Rolling Meadows: Illinois. Information Technology Governance Institute (ITGI) (2008). IT Governance global status report (Excerpt). Information Technology Governance Institute (ITGI). (2000a). Executive summary. Control Objectives for Information and Related Technologies (COBIT). Rolling Meadows: Illinois. International Organization for Standardization (2000). Available at http://www.iso.org. Larsen, M. H., Pedersen, M. K. & Andersen, K. V. (2006) IT Governance: Reviewing 17 IT governance tools and analysing the case of Novozymes A/S. Proceedings of the 39th Hawaii International Conference on System Sciences – 2006. Main, T.J., & Short, J. E. (1989). Managing the merger: building partnership through IT planning at the New Baxter. MIS Quarterly, 13(4), pp 469-484. Ministry of Finance (2007). Economic Report 2007/2008. Percetakan Nasional Malaysia Berhad. Kuala Lumpur, Malaysia. Murray, J. P. (2001). Recognizing the responsibility of a failed information technology project as a shared failure. Information Systems Management, Spring 2001, pp 25-29. Newman, W. L. (2003). Social research methods: qualitative and quantitative approaches. 5th ed. Thousand Oaks. CA: Sage Niessink, F. & van Vliet, H (2000). Software maintenance from a service perspective. Journal of Software Maintenance: Research and Practice, Vol 12(2), March/April, pp. 103-120. Organizational Aspects Special Interest Group (OASIG) (1995). Available at http://www.itcortex.com/Stat_Failure_Rate.htm#The%20OASIG%20Study%20. Accessed on 6 February 2007. Peterson, R. (2004). Crafting information technology governance. Information Systems Management, Fall 2004, 7-22. Peterson, R. R. (2003). Information strategies and tactics for Information Technology governance. In W. Van Grembergen (Ed.), Strategies for Information Technology Governance. Hershey, PA: Idea Group Publishing. Putrajaya Committee on GLC High Performance (PCG) (2005). GLC transformation manual. Retrieved December 4, 2005, from http:// http://www.pcg.gov.my/index.asp. Putrajaya Committee on GLC High Performance (PCG) (2007). GLCT Programme 2007 Interim Progress Review, Retrieved December 4, 2008 from http:// http://www.pcg.gov.my/index.asp Putrajaya Committee on GLC High Performance (PJC) (2006). Catalyzing GLC transformation to advance Malaysia’s development: GLC transformation scorecard and update. April. Available at: http://www.pcg.gov.my/PDF/SCORECARD_BINDER.pdf. Accessed on 1 May 2007.

Ross, J. & Weill, P. (2002). Six IT Decisions Your IT People Shouldn’t Make. Harvard Business Review, November, pp 85-91. Sharma, D., Stone, M. & Ekinci, Y. (2009). IT Governance and Project Management: A Qualitative Study. Database Marketing & Customer Strategy Management, 16(1), pp 29-50. Silverman, D.(2000). Doing Qualitative Research: A Practical Handbook. Sage. Sohal, A. S., and Fitzpatrick, P. (2002). IT governance and management in large Australian organizations. International Journal of Production Economics, 75(1-2), 97-112. Standish Group (1995). Chaos (Application project failure and success). The Standish Group International. January. Available at http://www.standishgroup.com/chaos.html Symons, C. (2005). IT governance framework: Structure, processes and communication. Cambridge USA: Forrester Research Inc. Tavakolian, H. (1989). Linking the information technology structure with organizational competitive strategy: a survey. MIS Quarterly ,12(3), pp 309-317. Venkatraman, N. (1993). Continuous strategic alignment: Exploiting information technology capabilities for competitive success. European Management Journal, 11(2), 139-149. Von Solms, S. H. (2005). Information Security Governance - Compliance management vs. operational Management. Computers and Security, 24:6, pp. 443-447. Weill, P. & Broadbent, M. (2000). Managing IT infrastructure: a strategic choice in Zmud, R. (Ed.), Framing the Domains of IT Management: Projecting the Future through the Past, Pinnaflex Educational Resources, Cincinnati, OH. Weill, P. & Ross, J. W. (2004). IT Governance: How Top Performers Manage IT Decision Rights for Superior Results. Boston: Harvard Business School Press. Weill, P., & Ross, J. W. (2005). How effective is your IT governance? Centre for Information Systems Research,Research Briefing (Vol. V): Massachusetts Institute of Technology. Whittaker, B. (1999). What went wrong? Unsuccessful information technology projects. Information Management & Computer Security, 7(1), pp 23-29. Willson, P. & Pollard, C. (2009). Exploring IT Governance in Theory and Practice in a Large MultiNational Organisation in Australia. Information Systems Management, 26, pp 98-109. Yin, R. K. (1994). Case Study Research: Design and Methods (2nd ed). Thousand Oaks, CA: Sage Publications.